When a user opens their wallet app, they will be redirected to download a fake update created by scammers.

It seems that the popular bitcoin wallet Electrum is having issues. Numerous concerned users are reporting that their wallets have suddenly been drained, without any notification or action on their part.

At least 240 BTC (worth around $1 million) was transferred to several blockchain wallets (14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5) which were then consolidated and moved to another address (1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj).

Electrum users immediately began warning one another on Twitter and Reddit. They said that when a user opens the wallet app, he is redirected to download a fake update from a site that mimics the real one in design but was created by scammers. When he enters his login and password, the site steals the funds from his account.

According to the multitude of Reddit posts, a hacker (or hacker group) added dozens of malicious servers to the Electrum wallet network. When a user connects with his legitimate Electrum wallet to one of them and tries to initiate a transaction, the malicious server returns an error message claiming that he must download a wallet app update from a malicious GitHub page.

After the user installs the fake update and tries to log back in, the malicious Electrum wallet asks him for a two-factor authentication code. This is a red flag: the genuine Electrum only asks for a two-factor code when the user is about to send funds to a recipient, never at wallet startup. In reality, entering the code is the final step that lets the thieves drain the user's funds into their own wallets.
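The attack works because the wallet client relays whatever text a server sends back as if it were trustworthy, so a peer can slip a clickable "update" link into an error message. The following is an added illustration of the defensive principle, not Electrum's code and not taken from the article: a client that shows server-supplied error text to the user treats it as untrusted data, flags markup, links and update lures, and reduces it to inert plain text before display. The function name, thresholds and the two sample messages are constructed for this example.

```python
"""Treat wallet-server error messages as untrusted data.

Added illustration, not Electrum's code: a thin client that relays a
peer's error text to the user should never render it as rich text or
let it carry a clickable link. The checks below flag markup and URLs
in a server-supplied message and reduce it to plain text before display.
The sample messages at the bottom are constructed for this example.
"""
import html
import re

# Anything that looks like a hyperlink or a scheme-prefixed address.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Any HTML/XML-style tag; a plain error string has no business containing one.
TAG_RE = re.compile(r"<[^>]+>")
# Phrases a phishing "error" leans on to steer the user out of the app.
LURE_RE = re.compile(r"(?i)\b(update|upgrade|download|new version)\b")

# Arbitrary cap (assumption): a legitimate error needs no more than this.
MAX_DISPLAY_LEN = 200


def inspect_server_message(raw: str) -> dict:
    """Return a verdict on a message received from an untrusted server.

    Keys: 'safe_text' (plain text suitable for display), 'suspicious' (bool)
    and 'reasons' (why it was flagged). Nothing here is ever rendered as HTML.
    """
    reasons = []
    if TAG_RE.search(raw):
        reasons.append("markup")
    if URL_RE.search(raw):
        reasons.append("url")
    if URL_RE.search(raw) and LURE_RE.search(raw):
        reasons.append("update-lure")
    if len(raw) > MAX_DISPLAY_LEN:
        reasons.append("oversized")

    # Strip tags and links, unescape entities, then escape again so the result
    # stays inert even if a caller later drops it into a rich-text widget.
    text = TAG_RE.sub("", raw)
    text = URL_RE.sub("[link removed]", text)
    text = html.unescape(text)
    text = re.sub(r"\s+", " ", text).strip()[:MAX_DISPLAY_LEN]
    safe_text = html.escape(text, quote=True)

    return {"safe_text": safe_text, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a plausible benign server error and a phishing-style one.
BENIGN = "transaction rejected: insufficient fee"
PHISHING = (
    "<b>Error:</b> your client is out of date. Update to the new version at "
    "https://example.invalid/update before sending."
)

if __name__ == "__main__":
    for sample in (BENIGN, PHISHING):
        verdict = inspect_server_message(sample)
        print(verdict["suspicious"], verdict["reasons"], verdict["safe_text"])
```

A client using this would show `safe_text` to the user and, when `suspicious` is set, add its own fixed warning that the message came from an unverified server; the point is that no text of server origin ever becomes a link or a trusted instruction.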

The issue was first brought to light when a Reddit user reported his funds missing after using the Electrum wallet app, despite having taken every measure to ensure he was using the real thing. Soon after this post, a handful of others surfaced to warn fellow users of the security breach.

A Reddit user explains how it works

Posting on Reddit, a user called “u/normal_rc” explained how the hacker gained access to Electrum wallets and stole victims’ balances. The post describes how the thieves preyed upon their victims using a very simple technique. He wrote:

The hacker setup [sic] a whole bunch of malicious servers.

If someone’s Electrum Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL.

The Electrum team confirmed the attack on Twitter and stated that the phishing attack is still ongoing, but the exact scale of the problem has not yet been determined.

Electrum is free software that’s used by numerous cryptocurrency sites, including merchants and exchanges, to store bitcoin. Anyone can run an Electrum server, and the software supports hardware wallets such as Trezor, Ledger, and KeepKey.